RDP connection to SRSS 4.2
Hello,
Is it possible to make an RDP connection to the SunRay server instead of using the soft client? I know this is possible when running VDI3 but I can't get it to work with SRSS4.2. Am I missing something?
Gr,
Peter
No, it isn't. The reason it's possible with VDI3 is that it has an RDP broker that connects the incoming RDP session to either the VirtualBox RDP server or the Windows RDP server. Sun Ray Software doesn't have an RDP server, just the client, UTTSC.
Similar Messages
-
SRSS 4.2 NumLock xset No Longer Working
Dear All,
I have been using SRSS 4.1 with a custom kiosk which uses 'xset led 1' to turn number-lock on for each new session. On upgrading to SRSS 4.2 (or rather installing 4.2 fresh) this no longer works. Does anybody know if this is a bug with SRSS 4.2?
Many thanks.
Chris
Hello Hartofiowa,
I'm using custom kiosk scripts at the moment which provide access to several different environments - i.e. RDP either to virtual PCs or Terminal Servers or ICA to Citrix published desktops - depending on parameters passed from our token 'other information' fields.
The kiosk itself is called the 'Generic X Kiosk' and just provides an x-session for the custom scripting we have to work on. If you look at the scripts that run for the 'Sun Ray Connector for Windows OS' they're basically doing the same thing except that they only call the uttsc program which provides access to RDP hosts. The argument we pass to the Generic X Session is just the path to the custom script that does all the work of connecting to specific host types.
Part of the custom script has the command 'xset led 1' which turns Num-Lock on. As previous posts have suggested this only works if you disable the XKB extensions.
If you're not sure then I really wouldn't recommend hacking around with anything until you've either done the training or spoken to someone with more experience than me (most people I expect) - there are quite a few consultancy companies who are usually more than willing to lend a hand with this kind of thing. Alternatively you can contact Sun and they should be able to point you in the right direction.
Cheers.
Chris
-
Win2k8 Remote Control Not Working With SRSS 4.2 + SRWC 2.2
Hi there.
I have an install of Windows Server 2008 (32bit) with SRSS 4.2 & SRWC 2.2 setup. I was previously on SRSS 4.1 & SRWC 2.1 and having the same issue I am having now, which to me tells me this problem is unresolved or I'm being a total muppet. (hopefully not the last one)
Windows Terminal Server environments have this awesome remote control feature where you can log in to an RDP session which is already active and take control of the session while the end user is still logged in. With Server 2003 this works perfectly fine - it's brilliant. With 2008 it is a nightmare. It works for a split second and then closes off. The end user's session also gets locked out (not logged out) and they have to put their Windows credentials in to carry on working again.
Now... I can remote control users who are logging in via Remote Desktop on Windows XP/Vista etc., but I can't with the Sun Ray sessions. Is SRWC 2.2 fully compatible with RDP 6.1, or is there any information anyone can give me to point me in the right direction of resolving this issue? Like I said, Win 2k3 works like a dream....
Any help would be greatly appreciated.
Regards
- Joe.
I just realised I hadn't posted the logs from SRSS Server with the issues. I have just tried on another WIN2K8 Server which wasn't configured by myself or my company and the same symptoms occurred. See logs below:
Oct 1 10:58:06 ESL-SOLARIS-SPARE kiosk:uttsc[4095]: [ID 702911 user.notice] /opt/SUNWuttsc/bin/uttsc[104]: 4116 Abort
Oct 1 10:58:06 ESL-SOLARIS-SPARE Sun Ray Connector proxy:[4117]: [ID 855542 user.error] Child closed socket prematurely, session shutdown
Oct 1 10:58:06 ESL-SOLARIS-SPARE kiosk:uttsc[4123]: [ID 702911 user.error] /opt/SUNWuttsc/bin/uttsc exited with error code 134 - exiting
Oct 1 10:58:06 ESL-SOLARIS-SPARE kioskcrit: [ID 702911 user.notice] Info: critical application uttsc (pid=3902) exited with non zero status: 134
Oct 1 10:58:06 ESL-SOLARIS-SPARE kioskcritd[3752]: [ID 422571 user.info] Info: a critical application has exited.
Oct 1 10:58:06 ESL-SOLARIS-SPARE kioskcritd[3752]: [ID 126805 user.info] Terminating Kiosk Primary Session ( pid=3902 )
Oct 1 10:58:06 ESL-SOLARIS-SPARE kioskcritd[3752]: [ID 308018 user.info] kioskcritd stopped
Oct 1 10:58:07 ESL-SOLARIS-SPARE utauthd: [ID 794400 user.info] SessionManager0 NOTICE: EMPTY: ACTIVE session
Oct 1 10:58:15 ESL-SOLARIS-SPARE kiosk:utkioskconfig:refresh[4381]: [ID 702911 user.info] Enabled Kiosk Mode for display ':2'
Oct 1 10:58:15 ESL-SOLARIS-SPARE dtlogin[4274]: [ID 118685 user.info] pam_sunray_amgh::[DPY=2] AMGH_SUMMARY: token=pseudo.00144fb78760, username=, AMGH_Done?=NO(Local Session), Details=AMGH is not configured., AMGH_Target=*NONE*
Oct 1 10:58:15 ESL-SOLARIS-SPARE dtlogin[4274]: [ID 976841 user.info] pam_kiosk: pam_sm_authenticate: Initiating Kiosk session with user utku2
Oct 1 10:58:15 ESL-SOLARIS-SPARE kioskcritd[4420]: [ID 190395 user.info] kioskcritd started
Oct 1 10:58:57 ESL-SOLARIS-SPARE Sun Ray Connector proxy:[4612]: [ID 855542 user.error] Child closed socket prematurely, session shutdown
Anyone able to help me out?
-
Srss 4.2 + srwc 2.2 Flash issue
I have installed the new SRSS 4.2 and SRWC 2.2 (EA1). The server is running Solaris 5/09 (u7) on a x86 server with 8 GB server. (physical box)
I have installed the MMR plugin on the Windows XP SP 3 machine which has IE 8 with FLASH 10AX.
I have tried both physical and virtual XP machines as well as physical and virtual SRSS servers. This doesn't seem to have any impact.
I am trying to play this video http://www.youtube.com/watch?v=zz902h6XxR0 which I've seen play smoothly on a Sun Ray demo, but I cannot reproduce it. This video seems to play fine http://www.youtube.com/watch?v=Kf4PjtBqCcQ&feature=popular
Video seems to be smoothest when the FLASH redirection is disabled (uttsc -F off) at which point it is just run through the RDP protocol... Isn't this the opposite of what is supposed to happen?
The audio does stay synced and is smooth, however the FLASH video does NOT appear to have improved at all. Is there something I'm missing?
I will be happy to provide more information on my environment.
thanks
Pete
Edited by: psorensen on Aug 18, 2009 12:36 PM
psorensen wrote:
> I have installed the new SRSS 4.2 and SRWC 2.2 (EA1). The server is running Solaris 5/09 (u7) on a x86 server with 8 GB server. (physical box)
> I have installed the MMR plugin on the Windows XP SP 3 machine which has IE 8 with FLASH 10AX.
> I have tried both physical and virtual XP machines as well as physical and virtual SRSS servers. This doesn't seem to have any impact.
> I am trying to play this video http://www.youtube.com/watch?v=zz902h6XxR0 which I've seen play smoothly on a Sun Ray demo, but I cannot reproduce it. This video seems to play fine http://www.youtube.com/watch?v=Kf4PjtBqCcQ&feature=popular
I don't see any significant issues with the first video (the second one has been removed from YouTube since). What DTU are you using (it works fine with the Sun Ray 2 and 2FS here)? How bad is it exactly? Do you see the blue interception icon in the tray while playing (if you move the mouse over it, does the tooltip mention SunFlash)? Do you have enough network bandwidth between the Sun Ray server and the DTU (and the Sun Ray server and the Windows server)? About 6.5 Mbit/s is needed at least for a YouTube video. Is the firmware of the DTU updated to the firmware of the Sun Ray EA release you are testing?
> Video seems to be smoothest when the FLASH redirection is disabled (uttsc -F off) at which point it is just run through the RDP protocol... Isn't this the opposite of what is supposed to happen?
Yes, it should be better when -F is not used.
Laszlo
-
Help Please - Random Session Freezes with SRSS 4.2
Dear All,
I've just moved about 12 users over to a cluster of two SRSS 4.2 boxes with twin quad-core CPUs and 32GB RAM and they're all suffering with session freezes - I've got no idea why. Does anyone have any clues what might be happening?
I've given the boxes about 90GB of swap each so I don't think that's the issue.
Many thanks.
Chris
I've applied a new version of Xnewt (as per this post here: http://forums.sun.com/thread.jspa?threadID=5410724) kindly sent to me by Roberto from Sun. Touch wood things seem to be OK again.
The main cause appeared to be when users were opening file dialogue boxes in MS Office applications either via Citrix or RDP sessions. Examples included opening documents in Word/Excel and adding/saving attachments to e-mails in Outlook.
I will update if anything further happens.
-
I am just starting to play with Sun Ray and so far so good apart from a few minor hiccups.
Setup: Sun Ray 270; Solaris 10/09; SRSS 5.2; SRWC 2.2
RDP from the java desktop is working fine at the default 640x480 as well as all resolutions stipulated by the uttsc -g command, however, using the uttsc -m (fullscreen) fails.
I run it from a terminal window and it just hangs doing nothing. I have to open another terminal and kill the PID to stop it.
I've tried this to a number of different windows machines/OSs with the same result.
Resetting the SR270 to kiosk mode and going direct to those same machines works perfectly.
Any thoughts?
Thanks, Klaus.
Installed uttscwrap and the issue has been resolved, and I can't replicate it.
-
Port Forwarding for RDP 3389 is not working
Hi,
I am having trouble getting RDP (port 3389) to forward to my server (10.20.30.20). I have made sure it is not an issue with the server's firewall; it's just the Cisco. I highlighted in red what I thought I need in my config to get this to work. I have removed the last 2 octets of the public IP info for security. Here is the configuration below:
TAMSATR1#show run
Building configuration...
Current configuration : 11082 bytes
version 15.2
no service pad
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
hostname TAMSATR1
boot-start-marker
boot system flash:/c880data-universalk9-mz.152-1.T.bin
boot-end-marker
logging count
logging buffered 16384
enable secret
aaa new-model
aaa authentication login default local
aaa authentication login ipsec-vpn local
aaa authentication login ciscocp_vpn_xauth_ml_1 local
aaa authorization console
aaa authorization exec default local
aaa authorization network groupauthor local
aaa session-id common
memory-size iomem 10
clock timezone CST -6 0
clock summer-time CDT recurring
crypto pki token default removal timeout 0
crypto pki trustpoint TP-self-signed-1879941380
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1879941380
revocation-check none
rsakeypair TP-self-signed-1879941380
crypto pki certificate chain TP-self-signed-1879941380
certificate self-signed 01
ip dhcp excluded-address 10.20.30.1 10.20.30.99
ip dhcp excluded-address 10.20.30.201 10.20.30.254
ip dhcp excluded-address 10.20.30.250
ip dhcp pool tamDHCPpool
import all
network 10.20.30.0 255.255.255.0
default-router 10.20.30.1
domain-name domain.com
dns-server 10.20.30.20 8.8.8.8
ip domain name domain.com
ip name-server 10.20.30.20
ip cef
no ipv6 cef
license udi pid CISCO881W-GN-A-K9 sn
crypto vpn anyconnect flash:/webvpn/anyconnect-dart-win-2.5.3054-k9.pkg sequence 1
ip tftp source-interface Vlan1
class-map type inspect match-all CCP_SSLVPN
match access-group name CCP_IP
policy-map type inspect ccp-sslvpn-pol
class type inspect CCP_SSLVPN
pass
zone security sslvpn-zone
crypto isakmp policy 10
encr aes 256
authentication pre-share
group 2
crypto isakmp policy 20
encr aes 192
authentication pre-share
group 2
crypto isakmp key password
crypto isakmp client configuration group ipsec-ra
key password
dns 10.20.30.20
domain tamgmt.com
pool sat-ipsec-vpn-pool
netmask 255.255.255.0
crypto ipsec transform-set ipsec-ra esp-aes esp-sha-hmac
crypto ipsec transform-set TSET esp-aes esp-sha-hmac
crypto ipsec profile VTI
set security-association replay window-size 512
set transform-set TSET
crypto dynamic-map dynmap 10
set transform-set ipsec-ra
reverse-route
crypto map clientmap client authentication list ipsec-vpn
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
interface Loopback0
ip address 10.20.250.1 255.255.255.252
ip nat inside
ip virtual-reassembly in
interface Tunnel0
description To AUS
ip address 192.168.10.1 255.255.255.252
load-interval 30
tunnel source
tunnel mode ipsec ipv4
tunnel destination
tunnel protection ipsec profile VTI
interface FastEthernet0
no ip address
interface FastEthernet1
no ip address
interface FastEthernet2
no ip address
interface FastEthernet3
no ip address
interface FastEthernet4
ip address 1.2.3.4
ip access-group INTERNET_IN in
ip access-group INTERNET_OUT out
ip nat outside
ip virtual-reassembly in
no ip route-cache cef
ip route-cache policy
ip policy route-map IPSEC-RA-ROUTE-MAP
duplex auto
speed auto
crypto map clientmap
interface Virtual-Template1
ip unnumbered Vlan1
zone-member security sslvpn-zone
interface wlan-ap0
description Service module interface to manage the embedded AP
ip unnumbered Vlan1
arp timeout 0
interface Wlan-GigabitEthernet0
description Internal switch interface connecting to the embedded AP
switchport mode trunk
no ip address
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
ip address 10.20.30.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1452
ip local pool sat-ipsec-vpn-pool 10.20.30.209 10.20.30.239
ip default-gateway 71.41.20.129
ip forward-protocol nd
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip dns server
ip nat inside source list ACL-POLICY-NAT interface FastEthernet4 overload
ip nat inside source static tcp 10.20.30.20 3389 interface FastEthernet4 3389
ip nat inside source static 10.20.30.20 (public ip)
ip route 0.0.0.0 0.0.0.0 public ip
ip route 10.20.40.0 255.255.255.0 192.168.10.2 name AUS_LAN
ip access-list extended ACL-POLICY-NAT
deny ip 10.0.0.0 0.255.255.255 10.20.30.208 0.0.0.15
deny ip 172.16.0.0 0.15.255.255 10.20.30.208 0.0.0.15
deny ip 192.168.0.0 0.0.255.255 10.20.30.208 0.0.0.15
permit ip 10.20.30.0 0.0.0.255 any
permit ip 10.20.31.208 0.0.0.15 any
ip access-list extended CCP_IP
remark CCP_ACL Category=128
permit ip any any
ip access-list extended INTERNET_IN
permit icmp any any echo
permit icmp any any echo-reply
permit icmp any any unreachable
permit icmp any any time-exceeded
permit esp host 24.153. host 66.196
permit udp host 24.153 host 71.41.eq isakmp
permit tcp host 70.123. host 71.41 eq 22
permit tcp host 72.177. host 71.41 eq 22
permit tcp host 70.123. host 71.41. eq 22
permit tcp any host 71..134 eq 443
permit tcp host 70.123. host 71.41 eq 443
permit tcp host 72.177. host 71.41. eq 443
permit udp host 198.82. host 71.41 eq ntp
permit udp any host 71.41. eq isakmp
permit udp any host 71.41eq non500-isakmp
permit tcp host 192.223. host 71.41. eq 4022
permit tcp host 155.199. host 71.41 eq 4022
permit tcp host 155.199. host 71.41. eq 4022
permit udp host 192.223. host 71.41. eq 4022
permit udp host 155.199. host 71.41. eq 4022
permit udp host 155.199. host 71.41. eq 4022
permit tcp any host 10.20.30.20 eq 3389
evaluate INTERNET_REFLECTED
deny ip any any
ip access-list extended INTERNET_OUT
permit ip any any reflect INTERNET_REFLECTED timeout 300
ip access-list extended IPSEC-RA-ROUTE-MAP
deny ip 10.20.30.208 0.0.0.15 10.0.0.0 0.255.255.255
deny ip 10.20.30.224 0.0.0.15 10.0.0.0 0.255.255.255
deny ip 10.20.30.208 0.0.0.15 172.16.0.0 0.15.255.255
deny ip 10.20.30.224 0.0.0.15 172.16.0.0 0.15.255.255
deny ip 10.20.30.208 0.0.0.15 192.168.0.0 0.0.255.255
deny ip 10.20.30.224 0.0.0.15 192.168.0.0 0.0.255.255
permit ip 10.20.30.208 0.0.0.15 any
deny ip any any
access-list 23 permit 70.123.
access-list 23 permit 10.20.30.0 0.0.0.255
access-list 24 permit 72.177.
no cdp run
route-map IPSEC-RA-ROUTE-MAP permit 10
match ip address IPSEC-RA-ROUTE-MAP
set ip next-hop 10.20.250.2
banner motd ^C
UNAUTHORIZED ACCESS TO THIS NETWORK DEVICE IS PROHIBITED.
You must have explicit permission to access or configure this device. All activities performed on this device are logged and violations of this policy may result in disciplinary and/or legal action.
^C
line con 0
logging synchronous
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport input all
line vty 0
access-class 23 in
privilege level 15
logging synchronous
transport input telnet ssh
line vty 1 4
access-class 23 in
exec-timeout 5 0
privilege level 15
logging synchronous
transport input telnet ssh
scheduler max-task-time 5000
ntp server 198.82.1.201
webvpn gateway gateway_1
ip address 71.41. port 443
http-redirect port 80
ssl encryption rc4-md5
ssl trustpoint TP-self-signed-1879941380
inservice
webvpn context TAM-SSL-VPN
title "title"
logo file titleist_logo.jpg
secondary-color white
title-color #CCCC66
text-color black
login-message "RESTRICTED ACCESS"
policy group policy_1
functions svc-enabled
svc address-pool "sat-ipsec-vpn-pool"
svc default-domain "domain.com"
svc keep-client-installed
svc split dns "domain.com"
svc split include 10.0.0.0 255.0.0.0
svc split include 192.168.0.0 255.255.0.0
svc split include 172.16.0.0 255.240.0.0
svc dns-server primary 10.20.30.20
svc dns-server secondary 66.196.216.10
default-group-policy policy_1
aaa authentication list ciscocp_vpn_xauth_ml_1
gateway gateway_1
ssl authenticate verify all
inservice
end
Hi,
I didn't see anything marked with red in the above? (At least when I was reading)
I have not really had to deal with routers at all since we do all access control and NAT with firewalls.
But to me it seems you have allowed the traffic to the actual IP address of the internal server rather than the public NAT IP address, which in this case seems to be configured to use your FastEthernet4 interface's public IP address.
There also seems to be a Static NAT configured for the same internal host so I am wondering why the Static PAT (Port Forward) is used?
- Jouni -
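An added example (not from the thread or from Cisco): on a classic IOS router using interface ACLs, the inbound ACL on the `ip nat outside` interface is evaluated before the destination address is translated, so an entry written against the server's inside address never matches forwarded traffic. The Python check below reports such entries and also reports RDP permitted from any source; the sample config is constructed, and 203.0.113.10 is an assumed stand-in for the redacted public IP.

```python
import ipaddress

# Constructed excerpt modelled on the posted router config. 203.0.113.10 is a
# documentation address standing in for the redacted public IP (assumption).
SAMPLE_CONFIG = """\
interface FastEthernet4
 ip access-group INTERNET_IN in
 ip nat outside
interface Vlan1
 ip address 10.20.30.1 255.255.255.0
 ip nat inside
ip nat inside source static tcp 10.20.30.20 3389 interface FastEthernet4 3389
ip access-list extended INTERNET_IN
 permit tcp any host 203.0.113.10 eq 443
 permit tcp any host 10.20.30.20 eq 3389
 deny ip any any
"""

# Port operators and how many arguments each one takes.
PORT_OPS = {"eq": 1, "neq": 1, "gt": 1, "lt": 1, "range": 2}


def _take_addr(tok, i):
    """Consume 'any', 'host A' or 'A WILDCARD' at tok[i]; return (network, next index)."""
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    # ipaddress accepts a wildcard (host mask) after the slash.
    return ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}", strict=False), i + 2


def _parse_permit(line):
    """Return (source, destination, dest_port) for a permit entry, or None."""
    tok = line.split()
    if len(tok) < 4 or tok[0] != "permit" or tok[1] not in ("ip", "tcp", "udp"):
        return None
    try:
        src, i = _take_addr(tok, 2)
        if i < len(tok) and tok[i] in PORT_OPS:      # optional source-port match
            i += 1 + PORT_OPS[tok[i]]
        dst, i = _take_addr(tok, i)
    except (IndexError, ValueError):                 # redacted or truncated entry
        return None
    port = tok[i + 1] if tok[i:i + 1] == ["eq"] and i + 1 < len(tok) else None
    return src, dst, port


def audit(config):
    """Return findings as (acl_name, entry, reason) tuples."""
    ifaces, acls, inside_local = [], {}, set()
    cur_acl = None
    for raw in config.splitlines():
        line = raw.strip()                           # tolerate lost indentation
        word = line.split(" ", 1)[0]
        if line.startswith("interface "):
            ifaces.append({"outside": False, "acl_in": None})
            cur_acl = None
        elif line == "ip nat outside" and ifaces:
            ifaces[-1]["outside"] = True
        elif line.startswith("ip access-group ") and line.endswith(" in") and ifaces:
            ifaces[-1]["acl_in"] = line.split()[2]
        elif line.startswith("ip nat inside source static "):
            tok = line.split()[5:]
            if tok and tok[0] in ("tcp", "udp"):
                tok = tok[1:]
            try:
                inside_local.add(ipaddress.ip_address(tok[0]))
            except (IndexError, ValueError):
                pass
        elif line.startswith("ip access-list extended "):
            cur_acl = line.split()[3]
            acls[cur_acl] = []
        elif cur_acl and word in ("permit", "deny", "remark", "evaluate"):
            acls[cur_acl].append(line)
        else:
            cur_acl = None

    # Only ACLs applied inbound on a NAT-outside interface see pre-NAT addresses.
    outside_acls = {i["acl_in"] for i in ifaces if i["outside"] and i["acl_in"]}
    findings = []
    for name in sorted(outside_acls):
        for entry in acls.get(name, []):
            parsed = _parse_permit(entry)
            if not parsed:
                continue
            src, dst, port = parsed
            if dst.prefixlen > 0 and any(ip in dst for ip in inside_local):
                findings.append((name, entry, "inside-local-destination"))
            elif port == "3389" and src.prefixlen == 0:
                findings.append((name, entry, "rdp-open-to-any-source"))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```
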
Cannot find dashboard and reports after upgrading rdp from 10g to 11g OBIEE
Hi all
I am trying to upgrade from OBIEE 10g to 11g. These two products are installed on different servers. I have followed the guide: http://www.oracle.com/technetwork/issue-archive/2011/11-jul/o41bi-402913.html and everything seems to work fine.
So I have taken a copy of rdp from the server where OBIEE 10g was installed and took it to the server where OBIEE 11g is installed.
Ran the upgrade tool and upgrade finished successfully. Restarted the BI Servers in core application on Enterprise Manager.
Now when I access the upgraded rpd, the layers and the fields are fine but I cannot find all the reports and dashboards that I had created.
Am I missing any upgrade steps?
Please suggest
Thank you and best regards
Hi Deepak,
Thanks for your response.
Oracle also came back to me and looks like my method is not valid:
Hi Jim,
Thanks a lot for the information. First of all I would like to inform you that upgrade CANNOT be performed across two machines. So, if 10g installation is on Host A, then upgrade to 11g will be on Host A.
So, in your scenario this is what you can do:
1. On Host A running Forms/Discoverer 10g on Windows 2003, install Forms/Discoverer/Reports 11g (11.1.1.6.0)
2. Run the upgrade Assistant to perform the upgrade from 10g to 11g.
3. Now upgrade OS of Host A to Windows 2008
In short, I would like to inform you that upgrades across machines do not work. Source instance which is 10g and destination instance which is 11g must exist on the same box.
Here is the documentation which you can follow:
http://docs.oracle.com/cd/E23943_01/upgrade.1111/e10130/toc.htm
(Oracle® Fusion Middleware Upgrade Guide for Oracle Portal, Forms, Reports, and Discoverer)
11g Release 1 (11.1.1)
Let me know if you have any further questions.
Thanks,
Rishi
-
Remote App and Desktop RDP client never succeed to logon the RDS gateway server running Windows 2012R2
1. Client Os : Windows 7 Pro
2. Server OS : Windows Server 2012R2 with RDS broker and RDS Gateway server with third-party certificate with friendly name sky.mti-itservice.no activated.
The main problem is following: The RDP logon session never ends
Any ideas?
Regards
Kenneth Knudsen
Email : [email protected]
Best regards, Kenneth Knudsen MCSE 2003 HP ASE
Hi Kenneth,
For your case, I suggest you configure an RDP session time limit so that your user can disconnect\log off once the specific time limit is reached.
You can set up the session time limit in different ways.
1. Open the Server Manager, select Remote Desktop Services.
2. In Remote desktop Services, in right side you can drop down to collections.
3. Select the collection which you want to edit the settings.
4. Under collections Properties, select Task and then Edit Properties.
5. In Properties dialog box, select Session.
6. You can find all the timeout settings under session collection properties; edit according to your requirements and then OK.
Apart from that, you can also use the Group Policy settings below.
Computer Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Session Time Limits
User Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Session Time Limits
- Set time limit for disconnected sessions
- Set time limit for active but idle Remote Desktop Services sessions
- Set time limit for active Remote Desktop Services sessions
- End session when time limits are reached
Please check which setting suitable for your environment and you can apply for your case.
[Forum FAQ] Restrict number of Active Sessions in RDS 2012 and 2012 R2
https://social.technet.microsoft.com/Forums/en-US/00c2252b-8ec0-489f-8da2-07a434a9b5a2/forum-faq-restrict-number-of-active-sessions-in-rds-2012-and-2012-r2?forum=winserverTS
Hope it helps!
Thanks.
Dharmesh Solanki
TechNet Community Support
-
Disabling RDP Compression on Windows Server 2012 R2
Hi
On Windows 2008 R2, we could disable RDP compression via GPO by configuring "Do not use an RDP compression algorithm" in the following GPO
Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Set compression algorithm for RDP data
It seems like with the Windows Server 2012 R2 GPO's, this setting is no longer available? How do we disable RDP compression so that we can use it with Riverbed products?
Thanks
Hi,
How is the issue going now? Is there any update?
Thanks.
Jeremy Wu
TechNet Community Support
-
I need help configuring RDP access to my local server from a remote location on my Cisco ASA 5505 Firewall.
I have attempted to configure RDP access but it does not seem to be working for me. Could I please ask someone to help me modify my current configuration to allow this? Please do step by step as I could use all the help I could get.
I need to allow the following IP addresses to have RDP access to my server:
66.237.238.193-66.237.238.222
69.195.249.177-69.195.249.190
69.65.80.240-69.65.80.249
My external WAN server info is - 99.89.69.333
The internal IP address of my server is - 192.168.6.2
The other server shows up as 99.89.69.334 but is working fine.
I already added one server for Static route and RDP but when I try to put in the same commands it doesn't allow me to for this new one. Please take a look at my configuration file and give me the commands I need in order to put this through. Also please tell me if there are any bad/conflicting entries.
THE FOLLOWING IS MY CONFIGURATION FILE
Also I have modified IP information so that it's not the ACTUAL IP info for my server/network etc... lol for security reasons of course
Also the bolded lines are the modifications I made but that aren't working.
ASA Version 7.2(4)
hostname ciscoasa
domain-name default.domain.invalid
enable password DowJbZ7jrm5Nkm5B encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
interface Vlan1
nameif inside
security-level 100
ip address 192.168.6.254 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address 99.89.69.233 255.255.255.248
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
ftp mode passive
dns server-group DefaultDNS
domain-name default.domain.invalid
object-group network EMRMC
network-object 10.1.2.0 255.255.255.0
network-object 192.168.10.0 255.255.255.0
network-object 192.168.11.0 255.255.255.0
network-object 172.16.0.0 255.255.0.0
network-object 192.168.9.0 255.255.255.0
object-group service RDP tcp
description RDP
port-object eq 3389
object-group service GMED tcp
description GMED
port-object eq 3390
object-group service MarsAccess tcp
description MarsAccess
port-object range pcanywhere-data 5632
object-group service MarsFTP tcp
description MarsFTP
port-object range ftp-data ftp
object-group service MarsSupportAppls tcp
description MarsSupportAppls
port-object eq 1972
object-group service MarsUpdatePort tcp
description MarsUpdatePort
port-object eq 7835
object-group service NM1503 tcp
description NM1503
port-object eq 1503
object-group service NM1720 tcp
description NM1720
port-object eq h323
object-group service NM1731 tcp
description NM1731
port-object eq 1731
object-group service NM389 tcp
description NM389
port-object eq ldap
object-group service NM522 tcp
description NM522
port-object eq 522
object-group service SSL tcp
description SSL
port-object eq https
object-group service rdp tcp
port-object eq 3389
access-list outside_1_cryptomap extended permit ip 192.168.6.0 255.255.255.0 object-group EMRMC
access-list inside_nat0_outbound extended permit ip 192.168.6.0 255.255.255.0 192.168.0.0 255.255.0.0
access-list inside_nat0_outbound extended permit ip 192.168.6.0 255.255.255.0 object-group EMRMC
access-list outside_access_in extended permit tcp 69.16.158.128 255.255.255.128 host 99.89.69.334 eq pcanywhere-data
access-list outside_access_in extended permit udp 69.16.158.128 255.255.255.128 host 99.89.69.334 eq pcanywhere-status
access-list outside_access_in extended permit tcp 69.16.158.128 255.255.255.128 host 99.89.69.334 object-group RDP
access-list outside_access_in extended permit tcp 69.16.158.128 255.255.255.128 192.168.6.0 255.255.255.0 eq ftp
access-list outside_access_in extended permit tcp 69.16.158.128 255.255.255.128 192.168.6.0 255.255.255.0 eq ldap
access-list outside_access_in extended permit tcp 69.16.158.128 255.255.255.128 192.168.6.0 255.255.255.0 eq h323
access-list outside_access_in extended permit tcp 69.16.158.128 255.255.255.128 192.168.6.0 255.255.255.0 eq telnet
access-list outside_access_in extended permit tcp 69.16.158.128 255.255.255.128 192.168.6.0 255.255.255.0 eq www
access-list outside_access_in extended permit tcp 69.16.158.128 255.255.255.128 host 99.89.69.334 object-group SSL
access-list outside_access_in extended permit tcp 69.16.158.128 255.255.255.128 192.168.6.0 255.255.255.0 object-group NM522
access-list outside_access_in extended permit tcp 69.16.158.128 255.255.255.128 192.168.6.0 255.255.255.0 object-group NM1731
access-list outside_access_in extended permit tcp 173.197.144.48 255.255.255.248 host 99.89.69.334 object-group RDP
access-list outside_access_in extended permit tcp any interface outside eq 3389
access-list outside_access_in extended permit tcp host 66.237.238.194 host 99.89.69.333
access-list outside_access_in extended permit tcp host 66.237.238.194 host 99.89.69.333 object-group rdp
access-list outside_access_in extended permit tcp any host 99.89.69.333 object-group rdp
access-list out_in extended permit tcp any host 192.168.6.2 eq 3389
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp 99.89.69.334 3389 192.168.6.1 3389 netmask 255.255.255.255
static (inside,outside) tcp interface 3389 192.168.6.2 3389 netmask 255.255.255.255
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 99.89.69.338 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 192.168.6.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer 68.156.148.5
crypto map outside_map 1 set transform-set ESP-3DES-MD5
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 1
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
tunnel-group 68.156.148.5 type ipsec-l2l
tunnel-group 68.156.148.5 ipsec-attributes
pre-shared-key *
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
service-policy global_policy global
prompt hostname context
Cryptochecksum:f47dfb2cf91833f0366ff572eafefb1d
: end
ciscoasa(config-network)#
Unclear what did not work. In your original post you said some commands were added but don't work:
static (inside,outside) tcp interface 3389 192.168.6.2 3389 netmask 255.255.255.255
and later you state you add another command that gets an error:
static (inside,outside) tcp 99.89.69.333 3389 192.168.6.2 3389 netmask 255.255.255.255
You also stated that 99.89.69.333 (actually 99.89.69.233, guessing from the rest of your config and other posts) is your WAN IP address.
The first static statement matches Cisco's documentation, which states that a static statement must use the 'interface' directive when you are trying to do static PAT utilizing the IP address of the interface. Since 99.89.69.333 is the assigned IP address of your WAN interface, that may explain why the second statement fails.
Any reason why you are using static PAT (including the port number 3389) instead of just skipping that directive? Static PAT usually makes sense when you need to change the TCP port number. In your example, you are not changing the TCP port 3389. -
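The reply above turns on two details of the static PAT statements: the mapped address has to be a valid address, and a mapping to the interface's own address is written with the 'interface' keyword. The following is an added example, not code from the thread, that checks a pre-8.3 style config for both; the sample config is constructed and uses documentation-range addresses, and the function names are hypothetical.

```python
import ipaddress
import re

# Constructed sample (pre-8.3 ASA syntax); addresses are documentation ranges.
SAMPLE_CONFIG = """\
interface Vlan1
 nameif inside
 ip address 192.168.6.1 255.255.255.0
interface Vlan2
 nameif outside
 ip address 203.0.113.10 255.255.255.248
static (inside,outside) tcp interface 3389 192.168.6.2 3389 netmask 255.255.255.255
static (inside,outside) tcp 203.0.113.10 3389 192.168.6.2 3389 netmask 255.255.255.255
static (inside,outside) tcp 203.0.113.333 3389 192.168.6.2 3389 netmask 255.255.255.255
static (inside,outside) tcp 203.0.113.11 8080 192.168.6.3 80 netmask 255.255.255.255
"""

# static (real_if,mapped_if) tcp|udp mapped_ip mapped_port real_ip real_port
STATIC_PAT = re.compile(r"static \((\w+),(\w+)\) (?:tcp|udp) (\S+) \S+ \S+ \S+")

def interface_addresses(config):
    """Map each nameif to the address configured in its interface stanza."""
    addrs, nameif = {}, None
    for line in map(str.strip, config.splitlines()):
        if line.startswith("interface "):
            nameif = None
        elif line.startswith("nameif "):
            nameif = line.split()[1]
        elif line.startswith("ip address ") and nameif:
            addrs[nameif] = line.split()[2]
    return addrs

def lint_static_pat(config):
    """Return (line_number, finding) for each suspect static PAT statement."""
    addrs, findings = interface_addresses(config), []
    for num, line in enumerate(config.splitlines(), 1):
        m = STATIC_PAT.match(line.strip())
        if not m or m.group(3) == "interface":
            continue  # not static PAT, or already uses the keyword
        mapped_if, mapped_ip = m.group(2), m.group(3)
        try:
            ipaddress.IPv4Address(mapped_ip)
        except ValueError:
            findings.append((num, f"{mapped_ip} is not a valid IPv4 address"))
            continue
        if mapped_ip == addrs.get(mapped_if):
            findings.append((num, f"{mapped_ip} is the {mapped_if} interface "
                                  "address; use the 'interface' keyword"))
    return findings
```

On the constructed sample it reports line 8 (literal interface address) and line 9 (an octet above 255) and leaves the other two statements alone.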
Problem Summary:
A UTF-8 without BOM Web RoE XML file output from a line of business application will not drag and drop copy nor copy/paste from a Server 2012 R2 RD Session Host running RD Gateway to a Windows 7 Remote Desktop client over an RDP 8.1 connection and the Drive Redirection virtual channel hangs. The same issue affects a test client/server with only Remote Desktop enabled on the server.
Other files copy with no issue. See below for more info.
Environment:
Server 2012 R2 Standard v6.3.9600 Build 9600
the production server runs RDS Session Host and RD Gateway roles (on the same server). BUT,
the issue can be reproduced on a test machine running this OS with simply Remote Desktop enabled for Remote Administration
Windows 7 Pro w SP1 v6.1.7601 SP1 Build 7601 running updates to support RDP 8.1
More Information:
-the file is a UTF-8 w/o BOM (Byte Order Marker) file containing XML data and has a .BLK extension. It is a Web Record of Employment (RoE) data file exported from the Maestro accounting application.
-the XML file that does not copy does successfully validate against CRA's validation XML Schema for Web RoE files
-Video redirection is NOT AFFECTED and continues to work
-the Drive Redirection virtual channel can be re-established by disconnecting/reconnecting
-when the copy fails, a file is created on the client and is a similar size to the original. However, the contents are incomplete. The file appears blank but CTRL-A shows whitespace
-we can copy the contents into a file created with Notepad and then that file, which used to copy, will then NOT copy
-the issue affects another Server 2012 R2 test installation, not just the production server
-it also affects other client Win7 Pro systems against affected server
-the issue is uni-directional i.e. copy fails server to client but succeeds client to server
-I don't notice any event log entries at the time I attempt to copy the file.
What DOES WORK
-downgrading to RDP 7.1 on the client WORKS
-modifying the file > 2 characters -- either changing existing characters or adding characters (CRLFs) WORKS
-compressing the file WORKS e.g. to a ZIP file
-copying OTHER files of smaller, same, and larger sizes WORKS
What DOES NOT WORK?
-changing the name and/or extension does not work
-copying and pasting affected content into a text file that used to have different content and did copy before, then does not work
-Disabling SMB3 and SMB2 does not work
-modifying TCP auto-tuning does not work
-disabling WinFW on both client and server does not work
As noted above, if I modify the affected file to sanitize its contents, it will work, so it's not much help. I'm going to try to get a sample file exported that I can upload since I can't give you the original.
Your help is greatly appreciated!
Thanks.
Kevin
Hi Dharmesh,
Thanks for your reply!
The issue does seem to affect multiple users. I'm not fully clear on whether it's multiple users and the same employee's file, but I suspect so.
The issue happens with a specific XML file and I've since determined that it seems to affect the exported RoE XML file for one employee (record?) in the software. Other employees appear to work.
The biggest issue is that there's limited support from the vendor in this scenario. Their app is supported on 2012 R2 RDS.
What I can't quite wrap my head around are
why does it work in RDP 7.1 but not 8.1? What differences between the two for drive redirection would have it work in 7.1 and not 8.1?
when I examine the affected file, it really doesn't appear any different than one that works. I used Notepad++ and it shows the encoding as the same and there doesn't appear to be any invalid characters in the affected file. I wondered if there was some string of characters that was being misinterpreted by RDP or some other operation and blocked somehow but besides having disabled AV and firewall software on both ends, I'm not sure what else I could change to test that further
Since it seems to affect only the one employee's XML file AND since modifying that file to change details in order to post it online would then make that file able to be copied, it seems I won't be able to post a sample. Too bad.
Kevin -
ASA 5505 + ASA 5540 static VPN, ssh and rdp problems
Greetings!
I've recently set up a VPN between Cisco ASA 5540 (8.4) and 5505 (8.3).
Everything works fine, but there is a small problem that is really annoying me.
From the inside network behind ASA 5505 I connect via rdp or ssh to a host inside ASA 5540.
Then I minimize ssh and rdp windows and don't use it for ten minutes. But I still use VPN for downloading some files.
Then I open ssh window - the session is inactive, open rdp window - I see a black screen (for 10-15 seconds, and then it shows RDP)
There are no timeouts on ssh or rdp hosts configured, via GRE tunnel it works perfectly without any hangs.
What can I do to get rid of this problem?
Thanks in advance.
Dear Fedor,
You could try adding the following commands to your configuration (on both ASAs) in order to increase the timeout values of the specific TCP sessions:
access-l rdp_ssh permit tcp 1.1.1.0 255.255.255.0 2.2.2.0 255.255.255.0 eq 22
access-l rdp_ssh permit tcp 1.1.1.0 255.255.255.0 2.2.2.0 255.255.255.0 eq 3389
class-map TCP_TIMEOUT
match access-list rdp_ssh
policy-map global_policy
class TCP_TIMEOUT
set connection timeout idle 0:30:00
set connection timeout half 0:30:00
* Please make sure you define the specific RDP and SSH ports in the ACL and avoid the use of "permit ip any any".
Let me know.
Portu.
Please rate any post you find useful. -
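The reply above asks that the ACL behind the timeout class name the specific RDP and SSH ports rather than "permit ip any any". The following is an added check for that, not code from the thread; the sample config is constructed (with the keywords written out in full) and the function name is hypothetical.

```python
# Constructed sample: one narrowly scoped timeout class and one over-broad one.
SAMPLE_CONFIG = """\
access-list rdp_ssh extended permit tcp 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0 eq 22
access-list rdp_ssh extended permit tcp 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0 eq 3389
access-list everything extended permit ip any any
class-map TCP_TIMEOUT
 match access-list rdp_ssh
class-map ALL_TIMEOUT
 match access-list everything
policy-map global_policy
 class TCP_TIMEOUT
  set connection timeout idle 0:30:00
  set connection timeout half-closed 0:30:00
 class ALL_TIMEOUT
  set connection timeout idle 0:30:00
"""

def broad_timeout_classes(config):
    """Return (class, acl, entry) for timeout classes matching unscoped ACEs."""
    acls, class_acl, timed = {}, {}, []
    cmap = pclass = None
    for words in map(str.split, config.splitlines()):
        if not words:
            continue
        if words[0] == "access-list" and "permit" in words:
            ace = words[words.index("permit") + 1:]
            acls.setdefault(words[1], []).append(ace)
        elif words[0] == "class-map":
            cmap = words[-1]
        elif words[:2] == ["match", "access-list"] and cmap:
            class_acl[cmap] = words[2]
        elif words[0] == "class":
            pclass = words[1]
        elif words[:3] == ["set", "connection", "timeout"]:
            if pclass and pclass not in timed:
                timed.append(pclass)
    findings = []
    for cls in timed:
        name = class_acl.get(cls)
        for ace in acls.get(name, []):
            # Scoped means a TCP/UDP entry that names a port or port range.
            scoped = ace[0] in ("tcp", "udp") and ("eq" in ace or "range" in ace)
            if not scoped:
                findings.append((cls, name, " ".join(ace)))
    return findings
```

Only the ALL_TIMEOUT class is reported, because its ACL applies the raised idle timeout to every connection instead of just the SSH and RDP flows.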
RDP from inside to outside using PAT?
I have several client machines (inside) that need to have RDP access to one server (outside) residing on a customer site. The challenge is that the client machines can be anywhere/any subnet at any given time and will have different IP addresses from DHCP. Because of this I can't use static NAT. Also, I only need RDP access from my network to the customer server only. So will it work if I use PAT? Thanks for the help in advance.
Hello Sandeep,
In my opinion there shouldn't be any issue since you are NATing the RDP clients to a single IP. As long as we have static NAT and permission at the destination (server side) it should work.
Hope it helps
Harish. -
ASA 5505 AnyConnect VPN Can RDP to clients but can't ping/icmp
Hello all,
I've been searching all day for a solution to this problem. I set up an SSL AnyConnect VPN on my Cisco ASA 5505. It works well and connects without a problem. However, I can't ping any internal clients, but I can RDP to them. It may be something simple and I would appreciate any help. Most of the time people end up posting their config so I will as well.
MafSecASA# show run
: Saved
ASA Version 8.2(1)
hostname MafSecASA
domain-name mafsec.com
names
interface Vlan1
nameif inside
security-level 100
ip address 10.4.0.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address 7.3.3.2 255.255.255.248
interface Vlan3
no forward interface Vlan1
nameif dmz
security-level 50
ip address 172.20.1.1 255.255.255.0
interface Ethernet0/0
switchport access vlan 2
speed 100
duplex full
interface Ethernet0/1
speed 100
duplex full
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
switchport access vlan 3
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
domain-name mafsec.com
same-security-traffic permit intra-interface
object-group protocol DM_INLINE_PROTOCOL_1
protocol-object ip
protocol-object tcp
protocol-object udp
protocol-object icmp
object-group protocol DM_INLINE_PROTOCOL_2
protocol-object ip
protocol-object udp
protocol-object tcp
protocol-object icmp
object-group protocol DM_INLINE_PROTOCOL_3
protocol-object ip
protocol-object icmp
object-group protocol DM_INLINE_PROTOCOL_4
protocol-object ip
protocol-object icmp
access-list inside_access_in extended permit icmp any any
access-list inside_access_in extended permit ip any any
access-list inside_access_in remark allow remote users to internal users
access-list inside_access_in remark allow remote users to internal users
access-list inside_access_in extended permit object-group DM_INLINE_PROTOCOL_4 10.4.0.0 255.255.255.0 10.5.0.0 255.255.255.0
access-list inside_access_in extended permit object-group DM_INLINE_PROTOCOL_3 10.5.0.0 255.255.255.0 10.4.0.0 255.255.255.0
access-list outside_access_in extended permit icmp any any
access-list inside_split_tunnel standard permit 10.4.0.0 255.255.255.0
access-list inside_split_tunnel standard permit 10.5.0.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.4.0.0 255.255.255.0 10.4.0.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.4.0.0 255.255.255.0 10.5.0.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.5.0.0 255.255.255.0 10.4.0.0 255.255.255.0
access-list inside_nat0_outbound_1 extended permit ip 10.4.0.0 255.255.255.0 10.4.0.0 255.255.255.0
access-list inside_nat0_outbound_1 extended permit ip 10.4.0.0 255.255.255.0 10.5.0.0 255.255.255.0
access-list inside_nat0_outbound_1 extended permit ip 10.5.0.0 255.255.255.0 10.4.0.0 255.255.255.0
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
ip local pool SSLVPNPool2 10.5.0.1-10.5.0.254 mask 255.255.255.0
ip verify reverse-path interface outside
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound_1
nat (inside) 1 0.0.0.0 0.0.0.0
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 7.3.3.6 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication enable console LOCAL
aaa authentication ssh console LOCAL
http server enable
http 10.4.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 5
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 10
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh 10.4.0.0 255.255.255.0 inside
ssh timeout 5
ssh version 2
console timeout 0
dhcpd option 6 ip 8.8.8.8 8.8.4.4
dhcpd address 10.4.0.15-10.4.0.245 inside
dhcpd dns 8.8.8.8 8.8.4.4 interface inside
dhcpd lease 86400 interface inside
dhcpd option 3 ip 10.4.0.1 interface inside
dhcpd enable inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
enable outside
svc image disk0:/anyconnect-win-2.5.3055-k9.pkg 1
svc image disk0:/anyconnect-macosx-i386-2.5.3055-k9.pkg 2
svc enable
tunnel-group-list enable
group-policy SSLVPN internal
group-policy SSLVPN attributes
dns-server value 8.8.8.8 8.8.4.4
vpn-tunnel-protocol svc
group-lock none
split-tunnel-policy tunnelspecified
split-tunnel-network-list value inside_split_tunnel
vlan none
address-pools value SSLVPNPool2
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
username user1 password
username user1 attributes
service-type remote-access
username user2 password
tunnel-group SSLVPNGROUP type remote-access
tunnel-group SSLVPNGROUP general-attributes
address-pool SSLVPNPool2
default-group-policy SSLVPN
tunnel-group SSLVPNGROUP webvpn-attributes
group-alias SSLVPN enable
prompt hostname context
Cryptochecksum:3b16cbc9bbdfa20e6987857c1916a396
: end
Thanks in advance for any help!
Your config actually looks good (you have the ACL that would allow the echo-reply back since you don't have inspection turned on) - are you sure this isn't a Windows firewall issue on the PCs? I'd try pinging a router or switch just to make sure.
--Jason